initial work toward 'leap test'. for now, it generates an openvpn config for client testing. try 'leap init-test'

2 files changed, 67 insertions, 2 deletions

diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb
index 5aa0cde..05bdb2b 100644
--- a/lib/leap_cli/commands/ca.rb
+++ b/lib/leap_cli/commands/ca.rb
@@ -144,7 +144,7 @@ module LeapCli; module Commands
           cert.not_before = today
           cert.not_after  = years_from_today(1)
           cert.parent = ca_root
-          cert.sign! test_cert_signing_profile
+          cert.sign! domain_test_signing_profile
           write_file! [:commercial_cert, manager.provider.domain], cert.to_pem
           log "please replace this file with the real certificate you get from a CA using #{Path.relative_path([:commercial_csr, manager.provider.domain])}"
         end
@@ -217,6 +217,19 @@ module LeapCli; module Commands
     write_file!([:node_x509_cert, node.name], cert.to_pem)
   end
 
+  def generate_test_client_cert
+    cert = CertificateAuthority::Certificate.new
+    cert.serial_number.number = cert_serial_number(manager.provider.domain)
+    cert.subject.common_name = random_common_name(manager.provider.domain)
+    cert.not_before = today
+    cert.not_after  = years_from_today(1)
+    cert.key_material.generate_key(1024) # just for testing, remember!
+    cert.parent = ca_root
+    cert.sign! client_test_signing_profile
+    write_file! :test_client_key, cert.key_material.private_key.to_pem
+    write_file! :test_client_cert, cert.to_pem
+  end
+
   def ca_root
     @ca_root ||= begin
       load_certificate_file(:ca_cert, :ca_key)
@@ -277,7 +290,7 @@ module LeapCli; module Commands
   # with our own CA (for testing purposes). Typically, this cert would
   # be purchased from a commercial CA, and not signed this way.
   #
-  def test_cert_signing_profile
+  def domain_test_signing_profile
     {
       "digest" => "SHA256",
       "extensions" => {
@@ -291,6 +304,24 @@ module LeapCli; module Commands
     }
   end
 
+  #
+  # This is used when signing a dummy client certificate that is only to be
+  # used for testing.
+  #
+  def client_test_signing_profile
+    {
+      "digest" => "SHA256",
+      "extensions" => {
+        "keyUsage" => {
+          "usage" => ["digitalSignature", "keyAgreement"]
+        },
+        "extendedKeyUsage" => {
+          "usage" => ["clientAuth"]
+        }
+      }
+    }
+  end
+
   def dns_names_for_node(node)
     names = [node.domain.internal]
     if node['dns'] && node.dns['aliases'] && node.dns.aliases.any?
@@ -310,6 +341,14 @@ module LeapCli; module Commands
     Digest::MD5.hexdigest("#{domain_name} -- #{Time.now}").to_i(16)
   end
 
+  #
+  # for the random common name, we need a text string that will be unique across all certs.
+  # ruby 1.8 doesn't have a built-in uuid generator, or we would use SecureRandom.uuid
+  #
+  def random_common_name(domain_name)
+    cert_serial_number(domain_name).to_s(36)
+  end
+
   def today
     t = Time.now
     Time.utc t.year, t.month, t.day
diff --git a/lib/leap_cli/commands/test.rb b/lib/leap_cli/commands/test.rb
new file mode 100644
index 0000000..dc08652
--- /dev/null
+++ b/lib/leap_cli/commands/test.rb
@@ -0,0 +1,26 @@
+module LeapCli; module Commands
+
+  desc 'Creates files needed to run tests'
+  command :'init-test' do |c|
+    c.action do |global_options,options,args|
+      generate_test_client_cert
+      generate_test_client_openvpn_config
+    end
+  end
+
+  desc 'Run tests'
+  command :test do |c|
+    c.action do |global_options,options,args|
+      log 'not yet implemented'
+    end
+  end
+
+  private
+
+  def generate_test_client_openvpn_config
+    template = read_file! Path.find_file(:test_client_openvpn_template)
+    config = Util.erb_eval(template, binding)
+    write_file! :test_client_openvpn_config, config
+  end
+
+end; end